CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10316 – Stratum – Elementor Widgets <= 1.4.4 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
https://notcve.org/view.php?id=CVE-2024-10316
The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.4 in includes/templates/content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. • https://www.wordfence.com/threat-intel/vulnerabilities/id/0a1cf60b-47bd-4e67-8fe4-6cf46809f2b2?source=cve https://plugins.trac.wordpress.org/changeset/3189021 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5611 – Stratum – Elementor Widgets <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
https://notcve.org/view.php?id=CVE-2024-5611
The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘label_years’ attribute within the Countdown widget in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Stratum – Elementor Widgets para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del atributo 'label_years' dentro del widget Countdown en todas las versiones hasta la 1.4.1 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/stratum/tags/1.4.0/includes/templates/countdown.php#L66 https://plugins.trac.wordpress.org/changeset/3102765#file1 https://www.wordfence.com/threat-intel/vulnerabilities/id/840dd4a9-103a-4ff9-ba26-3bf5b6e831a1?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •